Conflict between SNI and HTTP provided domains
I have recently moved a WordPress website with a small store from a hosting provider to a server of my own running Ubuntu Server 12.04.2 LTS and Apache 2.2.22. I require SSL for the store. I set up a couple of simple vhosts on a new IP for the server, one binding to port 80 of the specific IP and the other binding to port 443. Both have ServerName www.example.com
and ServerAlias example.com
in the vhost config. I have SSLStrictSNIVHostCheck off
.
The site is running very slow, but is working. I'm getting the following in my error logs.
[Error] Hostname example.com provided via SNI and hostname www.example.com provided via HTTP are different
I expect that the slowness is related to the above message. Any ideas on why that is appearing and what I can do about it?
Solution 1:
Look at your access log (not the error log). With the time and date of the error you should be able to identify the offending request and find out the user agent. In my case, it was a bot:
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
My Server answers with HTTP 400: Bad Request.
Unless I am mistaken, in TLS negotiations, the client sends the host name twice: once BEFORE the SSL connection is established in the SNI (Server Name Indication) and once AFTER in the actual HTTP request. If the server names mismatch, this would indicate a broken client and should have nothing to do with how your server is configured.
Maybe they will fix their bot someday, in the meantime you can probably ignore it. I doubt this can cause slowness on the host, unless the requests come at a very high rate.
Solution 2:
Maybe this error is evoked intentionally by some clients to test vulnerabilities of your server. I have found that a request from researchscan367.eecs.umich.edu
triggered the error on a server I maintain. In this case it is a good thing® that the error occurs.
I was curious what kind of attacks are possible, and I asked this question on Security Stack Exchange: What kind of attack is prevented by Apache2's error code AH02032?
Solution 3:
In my case the creation of a new virtualhost with an underscore was the problem. I have a wildcard SSL certificate.
Didn't work:
<VirtualHost *:443>
SSLEngine on
ServerName sub_domain.example.com
Redirect / https://www.example.com/restofmyredirectlink
</VirtualHost>
Although Apache did successfully restart, I got HTTP 400 errors. In the error log:
[Wed Sep 05 11:28:00.349960 2018] [ssl:error] [pid 19906:tid 140392626808576] AH02031: Hostname sub_domain.example.com provided via SNI, but no hostname provided in HTTP request
But removing the underscore worked:
<VirtualHost *:443>
SSLEngine on
ServerName subdomain.example.com
Redirect / https://www.example.com/restofmyredirectlink
</VirtualHost>
Solution 4:
Sounds like a client issue at first look... What browser is causing this issue?
The message would suggest the hostname the client sends during the ssl connectionsetup is not the same the client sends in the HTTPS request once the SSL layer is up.